MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
This PDF file contains a critical heuristic firing for a malicious redirector link, pointing to ttraff.com. The document body, though heavily obfuscated, contains the same URL and references a 'guide', suggesting a lure. The PDF also hosts a large number of external links, many pointing to static.usrfiles.com, which is likely part of a link farm to improve search engine ranking for malicious content. The ML classifier strongly supports the malicious verdict.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wix?keyword=blaser+r8+professional+guide
- https://static.usrfiles.com/ugd/accd1f_3d4b5ec1a5cb4587a30be93dec6f423e.pdf
- https://static.usrfiles.com/ugd/98857b_79e80092f75f4d12abf90d5716ceb558.pdf
- https://static.usrfiles.com/ugd/b8c837_ac1f4fb9224c400290d49ce88d731478.pdf
- https://static.usrfiles.com/ugd/8c0e65_f1a58699c49145e3aa360fd55622fad3.pdf
- https://static.usrfiles.com/ugd/0ebc1f_b178d52d16b1448ab393a23d9d025e9f.pdf
- https://static.usrfiles.com/ugd/b8c837_5d1585b03d2447ef80abc8ce87e08c31.pdf
- https://static.usrfiles.com/ugd/87a178_3e434e205f1843d49b645e843610814a.pdf
- https://static.usrfiles.com/ugd/b8c837_898e8e7762264120a1679a80c3bdadeb.pdf
- https://cdn.shopify.com/s/files/1/0430/8110/5562/files/5955573804.pdf
- https://cdn.shopify.com/s/files/1/0431/1800/2343/files/31113191339.pdf
- https://cdn.shopify.com/s/files/1/0432/3577/0535/files/rules_of_abbreviation.pdf
- https://cdn.shopify.com/s/files/1/0433/1700/2405/files/skyrim_vs_skyrim_special_edition_mods.pdf
- https://cdn.shopify.com/s/files/1/0431/7131/5876/files/zinc_plating_process_flow.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000751c.bine00a4739c51e490e6da6d7c5c1c0912597f426cebc8c63e84cf35d4698383e2d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x751C | 5252 bytes |
font_01_sfnt_off000086f4.bind72aa93ef5aa12fc3eb6392446583348ebadd4dd18d52ebaba6ffe204cbca381 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x86F4 | 13480 bytes |
font_02_sfnt_off0000b267.bin713933360072c9d59346590fad668f98c3603c6d2b72ed941ce85481f6af0b74 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xB267 | 16060 bytes |
font_03_sfnt_off0000c6f9.bind1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC6F9 | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.